Hi,

Below is the connector definition. We had 1 case reported that we know of,
but during the reported incident we couldn't find anything in the logs during
the transactions. We haven't been able to reproduce the issue. We do have
another environment that was added into the mix and handles the
authentication piece, so we receive information back from them which
provides the necessary data to CAS SSO to send to the client app that
initiated the request. We did have conversations with them and they did
mention the possibility of session information for another user being
provided back. We installed haveged to help us have sufficient entropy.
When we first encountered something like this, we handled authentication
locally on the environment and we saw errors in the tomcat logs; this time
authentication is handled externally and there are no errors found in the
log.

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           SSLEnabled="true" maxHttpHeaderSize="40960" connectionTimeout="20000"
           maxThreads="450">
    <SSLHostConfig
        ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
        honorCipherOrder="true" protocols="TLSv1.2"
        disableSessionTickets="true">
        <Certificate
            certificateKeystoreFile="xxxxx"
            certificateKeystorePassword="xxxxxxx"
            type="RSA" />
    </SSLHostConfig>
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>

Thanks!

On Fri, Jan 15, 2021 at 11:05 AM Olaf Kock <tom...@olafkock.de> wrote:

>
> On 15.01.21 15:57, juan wrote:
> > Hi,
> >
> > We were running tomcat 8.5.57 on CentOS 7 and together with CAS SSO, we
> > have multiple servers behind an AWS load balancer setup with sticky
> > sessions. We encountered a weird situation where a user who logged into
> > their application was presented with another user's profile after login.
> > Has anyone encountered something similar to this? Both users hit the same
> > tomcat server seconds apart and the user was on his personal computer and
> > doesn't know the first user.
>
> I've seen stuff like this happening when a reverse proxy was over-eager
> in caching stuff that it saw. 100% of cases where I've seen this
> behavior had this as a root cause.
>
> "over-eager" might mean that Tomcat (e.g. your app) doesn't signal the
> upstream proxy that the content is private, or the upstream proxy
> ignoring such signals.
>
>
> It's been a looooong time since I last saw it (and back then I didn't
> fix it myself - just provided information like the above) so I barely
> remember the key points to configure or look after. Maybe it helps
> already, otherwise we'll have to wait for someone to point to the usual
> suspects in the individual configurations.
>
> Olaf
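Olaf's suggestion above is that a reverse proxy in front of Tomcat stored one user's personalised page and served it to the next user, either because the application never marked the response as private or because the proxy ignored that marking. The following is an added example, not code from this thread, from CAS or from Tomcat: it applies the storability rules of RFC 7234 section 3 to the response headers a proxy would see, so you can audit captured responses from the profile page and confirm whether a shared cache was ever permitted to keep them. The sample responses, cookie value and date are constructed; `with_private_cache_headers` shows the header the application should be sending, which is the "signal that the content is private" Olaf refers to.

```python
"""Check whether a shared cache (reverse proxy) is allowed to store a response.

Added example for the Tomcat/CAS session mix-up thread; not project code.
Storability follows RFC 7234 section 3 (and 3.2 for Authorization); the
sample responses below are constructed.
"""
from typing import Dict, List

# Status codes a cache may store without an explicit freshness lifetime
# (RFC 7231 section 6.1, "cacheable by default").
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse 'private, max-age=0, no-cache="Set-Cookie"' into a lowercase dict."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def _lower_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise them for lookups."""
    return {k.lower(): v for k, v in headers.items()}


def shared_cache_may_store(status: int, headers: Dict[str, str],
                           request_has_authorization: bool = False) -> bool:
    """True if a shared cache is permitted to store this GET response.

    Rules: no-store or private forbid storage; an Authorization request header
    forbids it unless must-revalidate, public or s-maxage is present; otherwise
    the response needs an explicit freshness indication or a status code that
    is cacheable by default.
    """
    h = _lower_headers(headers)
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    if request_has_authorization and not (
            "must-revalidate" in cc or "public" in cc or "s-maxage" in cc):
        return False
    explicit = ("expires" in h or "max-age" in cc or "s-maxage" in cc
                or "public" in cc)
    return explicit or status in HEURISTICALLY_CACHEABLE


def audit_personalised_response(status: int, headers: Dict[str, str],
                                request_has_authorization: bool = False) -> List[str]:
    """Findings for a response known to carry per-user content.

    The thread's symptom (user B sees user A's profile) needs per-user content
    plus a proxy that was allowed to keep it, so an empty list means the
    response told any shared cache to stay out.
    """
    h = _lower_headers(headers)
    findings: List[str] = []
    if shared_cache_may_store(status, headers, request_has_authorization):
        findings.append("shared cache may store this response")
        if "set-cookie" in h:
            findings.append("Set-Cookie would be stored and replayed to other clients")
        if "cache-control" not in h:
            findings.append("no Cache-Control header: send 'Cache-Control: private, no-store'")
    return findings


def with_private_cache_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers that forbids storage by any shared cache."""
    hardened = dict(headers)
    hardened["Cache-Control"] = "private, no-store"
    return hardened


# Constructed: what a CAS-protected profile page might return with no caching
# directives at all. The session id and date are made up.
PROFILE_UNPROTECTED = (200, {
    "Content-Type": "text/html;charset=UTF-8",
    "Set-Cookie": "JSESSIONID=constructed-session-id; Path=/; Secure; HttpOnly",
    "Date": "Fri, 15 Jan 2021 15:57:00 GMT",
})

if __name__ == "__main__":
    status, hdrs = PROFILE_UNPROTECTED
    print("as sent:", audit_personalised_response(status, hdrs))
    print("hardened:", audit_personalised_response(status, with_private_cache_headers(hdrs)))
```

Run it against headers captured from the proxy side (not the Tomcat side) as well: if Tomcat already emits `Cache-Control: private` and the proxy still stores the page, the proxy is the component ignoring the signal, which is the second case Olaf describes.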
